One week ago, the Biden administration unveiled its long-awaited U.S. National Cybersecurity Strategy, with an eye toward centralizing government cyber resources and holding IT vendors more accountable for their digital defenses. Now that the ink is dry on the 35-page document, top officials like Acting National Cyber Director Kemba Walden are busy putting it into action.
But what does all the buzz around the strategy mean for security leaders in the field? Between proposed changes to cyber liability to the strategy’s broad-brush focus on a “defensible, resilient digital ecosystem,” it’s hard to unpack what’s at stake.
This is a policy roadmap, not new legislation or federal regulation. And while I welcome the White House’s efforts to align its approach to pressing cyberthreats, it may be several months before many of the Biden administration’s plans translate into real change.
Even though the outlook for cybersecurity legislation is bleak in a divided Congress, it’s likely the White House will follow through with building public-private partnerships and setting more cybersecurity requirements, among other moves. Here’s my read on what the strategy could bring for security leaders:
The White House has made no secret of that fact that it’s setting a high bar for government agencies in the face of ever-growing cyber threats to federal networks. Just last week, the U.S. Marshals Service announced it was investigating a breach that compromised sensitive information at the law enforcement agency. That ransomware attack underscores what’s at stake for the new strategy.
President Biden issued Executive Order 14028 in the first six months of his presidency, which set in motion a series of changes “to keep pace with today’s dynamic and increasingly sophisticated cyber threat environment.” Add to that the zero-trust requirements laid out by last year’s M-22-09 White House memo, and it’s no surprise that the new strategy doubles down on the need to modernize federal IT (and operational technology) systems.
For federal CIOs, this means not just adopting a zero-trust architecture but also removing legacy systems riddled with vulnerabilities, heeding Cybersecurity and Infrastructure Security Agency directives and rolling out new cybersecurity tools to defend the ongoing shift to the cloud.
It’s bound to be a bumpy ride. But a strong federal defense is well worth the effort, as cyber criminals and nation-state adversaries alike probe U.S. government networks continuously for vulnerabilities. And we’re ready to support our public sector customers in the U.S. and internationally with continuous security testing to transform their cybersecurity postures in a FedRAMP Moderate environment. The bottom line: Better security testing is needed to align with the Biden administration’s vision for the National Cybersecurity Strategy.
The strategy’s biggest potential changes would affect software vendors that introduce vulnerabilities into high-risk products. The White House is proposing a fundamental shift in the way companies are held accountable for data breaches, moving responsibility away from the end user and toward the producers of vulnerable software.
The message from the Biden administration is clear: It’s no longer enough for company leaders to pay lip service to cyber defenses early in the software development life cycle (SDLC). It’s not sustainable to say, “I checked the box, and my regulators are satisfied.” Will that insulate organizations from liability? Can internal security teams scale up to meet future regulations? Executives may need to turn to trusted third parties to help lock down their software before it can be exploited by attackers.
Companies that can prove they’re proactively fixing gaps in their security programs should expect to be covered by a “safe harbor” framework exempting them from liability in the event of a breach. While it’s impossible to prevent all vulnerabilities, the White House is asking organizations to at least show their work.
The White House may have a hard time advancing some of these changes through Congress. And any updates to liability provisions should measurably improve secure software practices, not backfire by prompting companies to allocate more of their limited resources to legal teams. I’m also wary of the White House proposals for new regulations, given how quickly attackers adapt their tactics to duck and weave around static security requirements.
However, many of the points raised in the National Cybersecurity Strategy are already surfacing in board-level discussions at publicly traded companies. Board members want CISOs to bring concrete data supporting the long-term effectiveness of their cybersecurity programs. Strategic partners like Synack can help furnish that data – for instance, by revealing the root causes of vulnerabilities through our platform rather than simply reporting one-off flaws – but some industries are ahead of others when it comes to putting in the effort to improve their security postures over time.
If the White House follows through with its strategy, companies behind the curve on their security programs may have to play catchup.
Mark Kuhr is the chief technology officer and co-founder of Synack.